I want to hide a text file by moving it to the $Extend directory (What is this directory?). So I ran cmd as Administrator and ran the command below:

    C:\Windows\system32>copy I:\ToHide.txt I:\$Extend
    Access is denied.
            0 file(s) copied.

    C:\Windows\system32>

As you can see, I couldn't, and I received an Access Denied error. So I tried to takeown the destination directory ($Extend) and change its ACLs as below:

    C:\Windows\system32>takeown /f I:\$Extend
    SUCCESS: The file (or folder): "I:\$Extend" now owned by user "Abraham-VAIO\Abra
    ham".

    C:\Windows\system32>cacls I:\$Extend /G Abraham:F
    Are you sure (Y/N)?Y
    The system cannot find the file specified.

    C:\Windows\system32>

Q1: Why couldn't cacls see this directory, while takeown could?

After that, I used the Python code below:

    import win32api
    import win32con
    import win32security
    # Python 2 with pywin32: open the path for writing, then report the current user and the file owner
    FILENAME = "I:\\$Extend"
    open (FILENAME, "w").close ()
    print "I am", win32api.GetUserNameEx (win32con.NameSamCompatible)
    # Read the owner SID from the security descriptor and resolve it to an account name
    sd = win32security.GetFileSecurity (FILENAME, win32security.OWNER_SECURITY_INFORMATION)
    owner_sid = sd.GetSecurityDescriptorOwner ()
    name, domain, type = win32security.LookupAccountSid (None, owner_sid)
    print "File owned by %s\\%s" % (domain, name)

And I receive Access Denied again:

    >>> ================================ RESTART ================================
    >>>
    Traceback (most recent call last):
      File "C:\Users\Abraham\Desktop\teste.py", line 6, in <module>
        open (FILENAME, "w").close ()
    IOError: [Errno 13] Permission denied: 'I:\\$Extend'
    >>>

Q2: Is this Python code equal to takeown, or is it an alternative for cacls?

Q3: Why do I receive access denied, while I run IDLE (and after that Python on the command line) as Administrator?

Last questions:

Q4: Why can't I open this directory using Windows Explorer, while I can open it using WinRAR? Does Windows restrict some APIs for Explorer, but they are available for other software?


By the way, is there any way I can achieve my goal using Python or C++ or ...? (Hiding something in the $Extend directory)
In general, you can access the MFT directly by opening \\.\PhysicalDriveX - which is the underlying physical disk (X is the number of the disk you want to open) - and then parse the disk directly, i.e. find the partition offset from the Master Boot Record, then parse the first NTFS sector and from there find the location of the MFT.
There is a great open source sample of how to parse the MFT in the ntfsfastfind project, see here: http://home.comcast.net/~lang.dennis/console/ntfsfastfind/ntfsfastfind.html
I also recommend that you read about NTFS internals here:
http://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx
http://ntfs.com/ntfs-mft.htm
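
The lookup chain described in the answer above (MBR partition entry, then NTFS boot sector, then MFT location), as an added read-only Python 3 example that is not part of the original answer or of ntfsfastfind. The function names are hypothetical, the disk image is constructed in memory, and the code assumes an MBR-partitioned disk (not GPT) with 512-byte sectors and the classic sectors-per-cluster encoding.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors, MBR (not GPT) partitioning

def ntfs_partition_lbas(mbr):
    """Start LBAs of MBR entries typed 0x07 (NTFS/exFAT/HPFS share this type)."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    entries = (struct.unpack_from("<4xB3xI", mbr, 446 + 16 * i) for i in range(4))
    return [start for ptype, start in entries if ptype == 0x07 and start]

def parse_ntfs_boot(bs):
    """Return (cluster size, MFT byte offset within the volume, MFT record size)."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    (mft_lcn,) = struct.unpack_from("<Q", bs, 0x30)  # first cluster of $MFT
    (raw,) = struct.unpack_from("<b", bs, 0x40)      # clusters per record, signed
    cluster = bytes_per_sector * sectors_per_cluster
    record = raw * cluster if raw > 0 else 1 << -raw  # negative: 2**(-raw) bytes
    return cluster, mft_lcn * cluster, record

def locate_mft(disk):
    """Absolute (offset, record size) of $MFT for each NTFS volume in a disk image."""
    found = []
    for lba in ntfs_partition_lbas(disk[:SECTOR]):
        base = lba * SECTOR
        _, mft_off, record = parse_ntfs_boot(disk[base:base + SECTOR])
        if disk[base + mft_off:base + mft_off + 4] != b"FILE":
            raise ValueError("no FILE record signature at computed MFT offset")
        found.append((base + mft_off, record))
    return found

def build_sample_disk():
    """Constructed 21 KiB image: NTFS partition at LBA 8, 4 KiB clusters, MFT at LCN 4."""
    disk = bytearray(21504)
    struct.pack_into("<B3xB3xII", disk, 446, 0x80, 0x07, 8, 34)  # partition entry 0
    disk[510:512] = b"\x55\xaa"
    base = 8 * SECTOR
    disk[base + 3:base + 11] = b"NTFS    "
    struct.pack_into("<HB", disk, base + 0x0B, 512, 8)
    struct.pack_into("<Q", disk, base + 0x30, 4)
    struct.pack_into("<b", disk, base + 0x40, -10)  # 2**10 = 1024-byte records
    disk[base + 16384:base + 16388] = b"FILE"
    return bytes(disk)

if __name__ == "__main__":
    print(locate_mft(build_sample_disk()))
```

On a real system the same functions would be fed bytes read from a disk image or from \\.\PhysicalDriveX opened read-only as Administrator, with reads aligned to the sector size.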